WordPress Plugin Vulnerabilities

W4 Post List < 2.4.5 - Contributor+ Stored XSS

Description

The plugin does not sanitise and escape the w4pl[no_items_text] parameter, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
w4-post-list
Fixed in 2.4.5

References

CVE
CVE-2023-27413

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
6561723d-3987-4a52-8549-d563d69d1457

Timeline

Publicly Published
2023-03-08 (about 3 years ago)
Added
2023-06-22 (about 2 years ago)
Last Updated
2023-06-22 (about 2 years ago)

Other

Published
Title
Published
2025-06-03
Title
Faculty Staff and Student Directory Plugin – Campus Directory < 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-06-06
Title
RestroPress – Online Food Ordering System < 3.1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-22
Title
The Events Calendar < 6.9.1 - Contributor+ Stored XSS
Published
2021-05-16
Title
Mediumish <= 1.0.47 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2024-12-30
Title
GeoDirectory < 2.3.85 - Authenticated (Contributor+) Stored Cross-Site Scripting